syntax = "proto3";

package kuma.mesh.v1alpha1;

option go_package = "github.com/kumahq/kuma/api/mesh/v1alpha1";

import "api/mesh/options.proto";
import "validate/validate.proto";
import "google/protobuf/wrappers.proto";

import "api/system/v1alpha1/datasource.proto";
import "kuma-doc/config.proto";

option (doc.config) = {
  type : Policy,
  name : "ExternalService",
  file_name : "external-service"
};

// ExternalService defines configuration of the externally accessible service
message ExternalService {

  option (kuma.mesh.resource).name = "ExternalServiceResource";
  option (kuma.mesh.resource).type = "ExternalService";
  option (kuma.mesh.resource).package = "mesh";
  option (kuma.mesh.resource).kds.send_to_zone = true;
  option (kuma.mesh.resource).ws.name = "external-service";

  // Networking describes the properties of the external service connectivity
  message Networking {
    // Address of the external service
    string address = 1 [ (doc.required) = true ];

    // TLS
    message TLS {
      // denotes that the external service uses TLS
      bool enabled = 1;

      // Data source for the certificate of CA
      kuma.system.v1alpha1.DataSource ca_cert = 2;

      // Data source for the authentication
      kuma.system.v1alpha1.DataSource client_cert = 3;

      // Data source for the authentication
      kuma.system.v1alpha1.DataSource client_key = 4;

      // If true then TLS session will allow renegotiation.
      // It's not recommended to set this to true because of security reasons.
      // However, some servers require this setting, especially when using
      // mTLS.
      google.protobuf.BoolValue allowRenegotiation = 5;

      // ServerName overrides the default Server Name Indicator set by Kuma.
      // The default value is set to "address" specified in "networking".
      google.protobuf.StringValue server_name = 6;

      // If true then hostname verification will be skipped during certificate
      // verification.
      google.protobuf.BoolValue skipHostnameVerification = 7;
    }

    TLS tls = 2;

    // If disableHostDNSEntry is set to true then a DNS entry for the external
    // service taken from 'networking.address' won't be generated.
    // You can still reach this external service using
    // external-service-name.mesh:80 where "external-service-name" is taken from
    // "kuma.io/service" tag.
    bool disableHostDNSEntry = 3;
  }

  Networking networking = 1 [ (doc.required) = true ];

  // Tags associated with the external service,
  // e.g. kuma.io/service=web, kuma.io/protocol, version=1.0.
  map<string, string> tags = 2
      [ (validate.rules).map.min_pairs = 1, (doc.required) = true ];
}
